Site-to-Site PPTP in Tomato 1.28 by Shibby

Discussion in 'Tomato Firmware' started by mbryan718, Dec 6, 2013.

  1. mbryan718

    mbryan718 Reformed Router Member

    I want create a site-to-site PPTP VPN using Shibby Tomato. I currently have this working and can ping from site-to-site via the router itself — but the clients on either end cannot see each other.

    Is there a tutorial or documentation that gives the steps to do this? I've done everything I know to do based on my own knowledge, but I don't understand why my clients can't see each other across the tunnel. It's a routing issue between the router and its DHCP clients, I know — but why isn't the router "ROUTING" the VPN routes for the clients?

    I've googled all over for a tutorial or instructions and have come up with nothing. Any ideas?

    Thanks guys.
     
  2. shibby20

    shibby20 Network Guru Member

    Why PPTP? OpenVPN via static key is a better solution.
     
  3. quihong

    quihong Serious Server Member

    mbryan718 likes this.
  4. mbryan718

    mbryan718 Reformed Router Member

    OpenVPN would be great! I will definitely give your tutorial a try. I'm using Shibby's Tomato which has been awesome so far with this Asus NT-66U .. I'm just wondering why the PPTP routing wasn't working? Weird ..

    Shibby,

    With the PPTP VPN Clients, there's a max limit of SIX .. Is there a maximum limit of SIX clients for OpenVPN too? Also, is there any plan of increasing that limit? By the way, I'm moving all of my routers to your firmware (from DD-WRT). Very nice work sir.

    Quihong, I'll post back my results after using your tutorial.
     
  5. mbryan718

    mbryan718 Reformed Router Member

    Qui Hong:

    Sorry it's been so long .. but I just went through your tutorial tonight and it was great! I have our main location plus one remote site running perfectly. All hosts on both sides can see each other. That's what I wanted.

    Now, I need to know how to add additional remote sites to this VPN. I figured it would be pretty simple -- just regenerating certs for the additional Site2SiteClient, giving it a new common (unique) name. Well, it didn't work out, and plus, when turning up SiteC, it would knock down the tunnel for SiteB. Is this setup only good for 1 remote site? If not, then is there a limit how many remote sites I can have? We have 5 sites and I was hoping to get them all connected together using OpenVPN on our routers.

    Thanks in advance! ;)
     
  6. rs232

    rs232 Network Guru Member

    Few points:

    - bringing up a new tunnel must not knock down the existing tunnel connections. If that's the case, investigate the issue first, then look into implementing something more complex

    - I assume you are talking about a hub-and-spoke VPN topology with one central device and 5 (or more) clients

    - watch out using certificates against static key. Yes, you increase the security level, but you also increase the CPU usage (by a lot!). So if you carry on this way, your next question I guess is going to be: why is VPN throughput slow? Unless you have demand for high security I would stick to static key only

    - using your device you will have to act on the shell (the GUI will help you only with the first two server sites). OpenVPN on Tomato was developed on legacy hardware and AFAIK never updated since. The main concern in having more than two site servers and two site clients was the amount of nvram used by the certificates, but with your device this shouldn't be a problem. Having said that, let me repeat myself: use static keys

    - Follow the procedure below (save the script in e.g. cifs/usb/jffs and run it in the wan-up script):

    Code:
    ##Server3 accepting connections from site3
    # give the WAN a moment to settle when this runs from wan-up
    sleep 5
    
    port=1195
    tunif=tun23
    
    # firewall: open the UDP port, then let traffic arriving on the tunnel
    # reach the router (INPUT) and be forwarded to the LAN (FORWARD)
    mkdir -p /tmp/etc/openvpn/fw
    cd /tmp/etc/openvpn/fw
    echo "/usr/sbin/iptables -t nat -I PREROUTING -p udp --dport $port -j ACCEPT
    /usr/sbin/iptables -I INPUT -p udp --dport $port -j ACCEPT
    /usr/sbin/iptables -I INPUT -i $tunif -j ACCEPT
    /usr/sbin/iptables -I FORWARD -i $tunif -j ACCEPT" > server3-fw.sh
    chmod 777 server3-fw.sh
    ./server3-fw.sh
    
    # per-server instance: own directory plus its own symlink to the openvpn
    # binary, so this instance shows up as vpnserver3 in ps
    mkdir -p /tmp/etc/openvpn/server3/
    cd /tmp/etc/openvpn
    ln -s /usr/sbin/openvpn vpnserver3
    cd /tmp/etc/openvpn/server3
    # static-key point-to-point config; the route line is what sends packets
    # for the site3 LAN (172.10.11.0/24) into this tunnel
    echo "daemon
    ifconfig 172.10.0.1 172.10.0.2
    proto udp
    port $port
    dev $tunif
    cipher AES-128-CBC
    keepalive 15 60
    verb 3
    secret static.key
    status-version 2
    status status
    script-security 2
    route 172.10.11.0 255.255.255.0
    fast-io
    persist-tun" > /tmp/etc/openvpn/server3/config.ovpn
    chmod 777 /tmp/etc/openvpn/server3/config.ovpn
    
    sleep 5
    
    # reuse server1's pre-shared key (see NOTE below), then start this instance
    cp /etc/openvpn/server1/static.key /etc/openvpn/server3/
    /etc/openvpn/vpnserver3 --cd /etc/openvpn/server3 --config config.ovpn
    
    NOTE: I do use the same key for my links, which explains the last 2 lines in the script above (the static key used by server1 will be used in this case)
    NOTE2: you need a script like this on the HUB site for each client you want to connect.
    NOTE3: you need a different port/tunnel interface/serverX reference for each script/client-site; the one above works for server 3 only.

    EXAMPLE: Say you need server 4
    a) change the port to e.g. 1196
    b) tunnel interface to tun24 (keep tun2x for servers and tun1x for clients)
    c) replace everywhere server3 references to server4
    d) adjust the routing in the script to match the client LAN subnet

    e) on each client side you should be able to connect just using the client GUI instead

    NOTE4: with this design your limit is your HUB device RAM/CPU

    HTH
    rs232
     
    Last edited: Apr 26, 2014
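    The "one script per remote site, change port/tun/serverX/route" procedure above lends itself to a single parameterised function. The script below is an added example written for this thread, not rs232's script and not part of Tomato: it generates the firewall rules and the static-key server config for site N the way the post does (port 1192+N, interface tun2N, key copied from server1 are my assumed conventions; the subnets in the usage lines are constructed placeholders), and it tightens the file modes to 600/700 because the config names the key file and the key itself must not be world-readable. OPENVPN_BASE and DRY_RUN are my own knobs so the generator can be exercised off the router.

```shell
#!/bin/sh
# Added example (not rs232's script): one function call per remote site on the
# hub router. Conventions assumed here, not stated in the thread: port 1192+N,
# tunnel interface tun2N, static.key reused from server1.
OPENVPN_BASE="${OPENVPN_BASE:-/tmp/etc/openvpn}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = only write the files, do not run iptables/openvpn

# Print the firewall rules for one server instance: open the UDP port, then let
# traffic on its tunnel interface reach the router and be forwarded to the LAN.
gen_fw_rules() {
    port="$1"; tunif="$2"
    printf '%s\n' \
        "/usr/sbin/iptables -t nat -I PREROUTING -p udp --dport $port -j ACCEPT" \
        "/usr/sbin/iptables -I INPUT -p udp --dport $port -j ACCEPT" \
        "/usr/sbin/iptables -I INPUT -i $tunif -j ACCEPT" \
        "/usr/sbin/iptables -I FORWARD -i $tunif -j ACCEPT"
}

# Print the static-key server config. The route line is what makes the hub send
# packets destined for the remote LAN into this particular tunnel.
gen_server_config() {
    port="$1"; tunif="$2"; local_ip="$3"; remote_ip="$4"; client_lan="$5"
    printf '%s\n' \
        "daemon" \
        "ifconfig $local_ip $remote_ip" \
        "proto udp" \
        "port $port" \
        "dev $tunif" \
        "cipher AES-128-CBC" \
        "keepalive 15 60" \
        "verb 3" \
        "secret static.key" \
        "status-version 2" \
        "status status" \
        "script-security 2" \
        "route $client_lan 255.255.255.0" \
        "fast-io" \
        "persist-tun"
}

# setup_hub_server N P2P_LOCAL P2P_REMOTE CLIENT_LAN
#   N          server number (3, 4, ...); port and tun interface derive from it
#   P2P_*      the /30-style pair for the tunnel endpoints (must differ per site)
#   CLIENT_LAN the remote site's LAN network (assumed /24, as in the post)
setup_hub_server() {
    n="$1"; local_ip="$2"; remote_ip="$3"; client_lan="$4"
    port=$((1192 + n))
    tunif="tun2$n"
    srvdir="$OPENVPN_BASE/server$n"

    mkdir -p "$OPENVPN_BASE/fw" "$srvdir"
    gen_fw_rules "$port" "$tunif" > "$OPENVPN_BASE/fw/server$n-fw.sh"
    chmod 700 "$OPENVPN_BASE/fw/server$n-fw.sh"
    gen_server_config "$port" "$tunif" "$local_ip" "$remote_ip" "$client_lan" \
        > "$srvdir/config.ovpn"
    chmod 600 "$srvdir/config.ovpn"

    # Per-instance symlink so each server is identifiable by name in ps.
    ln -sf /usr/sbin/openvpn "$OPENVPN_BASE/vpnserver$n"
    # Same pre-shared key on every link, as in the post; keep it owner-only.
    if [ -f "$OPENVPN_BASE/server1/static.key" ]; then
        cp "$OPENVPN_BASE/server1/static.key" "$srvdir/static.key"
        chmod 600 "$srvdir/static.key"
    fi

    if [ "$DRY_RUN" = "0" ]; then
        sleep 5                                   # let the WAN settle (wan-up)
        sh "$OPENVPN_BASE/fw/server$n-fw.sh"
        "$OPENVPN_BASE/vpnserver$n" --cd "$srvdir" --config config.ovpn
    fi
    echo "server$n: udp/$port on $tunif, route $client_lan via $remote_ip"
}

# Usage from wan-up, one line per remote site (subnets are constructed examples):
#   setup_hub_server 3 172.10.0.1 172.10.0.2 172.10.11.0
#   setup_hub_server 4 172.10.0.5 172.10.0.6 172.10.12.0
```

    Each call writes /tmp/etc/openvpn/fw/serverN-fw.sh and /tmp/etc/openvpn/serverN/config.ovpn and then starts that instance, so adding a sixth site is one more line with its own point-to-point pair and LAN; the point-to-point addresses and the route must still be unique per site or the hub has no way to tell the tunnels apart.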
  7. quihong

    quihong Serious Server Member

    Hi @mbryan718,

    Glad the tutorial somewhat worked out for you. I actually haven't tested the setup with 3 or more Sites, however I can't see a reason why it wouldn't work. I've generated additional certs and added a couple of Client to Site OpenVPN clients with no issues.

    @rs232 brought up some interesting things...

    VPN Topology - not sure what your plan is here. The overall design is most likely going to be dependent on your hardware, bandwidth and traffic pattern.

    Static Keys versus Certificates - I cannot comment on the performance differences, but when I first joined this forum 4 years ago (under a different name), I asked about setting up a Site to Site OpenVPN using static keys and it was recommended to use TLS/Certs to simplify the routing (which it totally did).

    NVRAM - the tutorial minimizes the use of the valuable nvram space by referencing the cert/keys files stored on the USB drive versus actually pasting in the cert/keys into the GUI.
     